Always get "404 page not found" or NET::ERR_CERT_AUTHORITY_INVALID

Hi there, I need some help with traefik. I have been using it successfully for quite some time, but a while ago things broke and I cannot get them working again.

I am running traefik 2.4.11 on docker, the dashboard is up and running, and I have configured a whoami service for testing.

On the dashboard everything looks fine and green. I have an http router with rule Host(`whoami.mydomain.de`) on entrypoints web and websecure. It has a green TLS sign and fetched its certs from letsencrypt. The router points to a docker service which is marked as "success" and points to the whoami container's endpoint. Currently I have no general http to https redirection. Now I am seeing this behaviour:

calling http://whoami.mydomain.de in firefox => 404 page not found
calling https://whoami.mydomain.de in firefox => successful whoami page
calling https://whoami.mydomain.de in chrome or edge => NET::ERR_CERT_AUTHORITY_INVALID

The certificate traefik delivered to chrome or edge is the traefik default cert. And now I am stuck. Why does traefik deliver the default cert to chrome and edge, and why does it send the letsencrypt cert to firefox?

Hello @jhoos70,

Can you please provide your traefik configuration?

What does curl -v https://whoami.mydomain.de give you? Does it connect properly?

Of course. This is what curl returns:

curl -v whoami.mydomain.de
*   Trying 84.128.20.xxx:80...
* Connected to whoami.mydomain.de (84.128.20.xxx) port 80 (#0)
> GET / HTTP/1.1
> Host: whoami.mydomain.de
> User-Agent: curl/7.77.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Content-Type: text/plain; charset=utf-8
< X-Content-Type-Options: nosniff
< Date: Thu, 22 Jul 2021 17:03:15 GMT
< Content-Length: 19
<
404 page not found
* Connection #0 to host whoami.mydomain.de left intact

And here is my config:

################################################################
# Global configuration
################################################################
[global]
  checkNewVersion = true
  sendAnonymousUsage = true

################################################################
# Entrypoints configuration
################################################################

# Entrypoints definition
#
# Optional
# Default:
[entryPoints]
  [entryPoints.web]
    address = ":80"

  [entryPoints.websecure]
    address = ":443"


################################################################
# Traefik logs configuration
################################################################

# Traefik logs
# Enabled by default and log to stdout
#
# Optional
#
[log]

  # Log level
  #
  # Optional
  # Default: "ERROR"
  #
  level = "DEBUG"

  # Sets the filepath for the traefik log. If not specified, stdout will be used.
  # Intermediate directories are created if necessary.
  #
  # Optional
  # Default: os.Stdout
  #
  filePath = "log/traefik.log"

  # Format is either "json" or "common".
  #
  # Optional
  # Default: "common"
  #
  # format = "json"

################################################################
# API and dashboard configuration
################################################################

# Enable API and dashboard
[api]

  # Enable the API in insecure mode
  #
  # Optional
  # Default: false
  #
  insecure = true

  # Enabled Dashboard
  #
  # Optional
  # Default: true
  #
  dashboard = true

################################################################
# Docker configuration backend
################################################################

# Enable Docker configuration backend
[providers.docker]

  # Docker server endpoint. Can be a tcp or a unix socket endpoint.
  #
  # Required
  # Default: "unix:///var/run/docker.sock"
  #
  # endpoint = "tcp://10.10.10.10:2375"
  endpoint = "unix:///var/run/docker.sock"

  # Default host rule.
  #
  # Optional
  # Default: "Host(`{{ normalize .Name }}`)"
  #
  # defaultRule = "Host(`{{ normalize .Name }}.docker.localhost`)"
  

  # Expose containers by default in traefik
  #
  # Optional
  # Default: true
  #
  # exposedByDefault = false


[certificatesResolvers]
  [certificatesResolvers.letsencrypt.acme]
    email = "mydomain@web.de" # adjust the email address here
    storage = "/etc/traefik/ACME/acme.json"
    [certificatesResolvers.letsencrypt.acme.httpChallenge]
      # used during the challenge
      entryPoint = "web"
    [certificatesResolvers.letsencrypt.acme.tlsChallenge]

And this is my docker-compose for traefik:

version: '3.7'

services:
  traefik:
    # The official v2 Traefik docker image
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped

    labels:
      - traefik.enable=true
      - traefik.http.routers.api.entrypoints=web,websecure,traefik
      - traefik.http.routers.api.tls.certresolver=letsencrypt
      - traefik.http.routers.api.rule=Host(`traefik.mydomain.de`)
      - traefik.http.routers.api.service=api@internal
      - traefik.http.routers.api.middlewares=auth
      - traefik.http.middlewares.auth.basicauth.users=admin:$$apU3NycF1hJ1


    ports:
      # The HTTP port
      - "80:80"
      # The HTTPS port
      - "443:443"
      # The Web UI (enabled by --api.insecure=true)
      - "8080:8080"
      # nodejs express
      - "3002:3001"

    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
      - ./config:/etc/traefik
      - /etc/localtime:/etc/localtime
      #- ./letsencrypt:/letsencrypt
      - ./log:/log
    networks:
      - web    

networks:
  web:
    external:
      name: web
  default:
    driver: bridge

Hello @jhoos70,

If you are using the dashboard to test your rule, you need to remember that the dashboard doesn't listen on /, but /dashboard/: (Dashboard - Traefik)

Also, you provided a curl to the http domain, could you try the tls request:
curl -v https://whoami.mydomain.de

Curl should show what certificate is being served.

Ah, sorry my fault. Here's curl to https:

curl -v https://whoami.mydomain.de
*   Trying 84.128.20.xxx:443...
* Connected to whoami.mydomain.de (84.128.20.xxx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Here is the log after startup. As far as I understand they say traefik found ACME certificates and does not need to recreate them.

time="2021-07-22T19:38:02+02:00" level=info msg="Traefik version 2.4.11 built on 2021-07-15T15:03:36Z"
time="2021-07-22T19:38:02+02:00" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true,\"sendAnonymousUsage\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"traefik\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{}},\"web\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{}},\"websecure\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{}}},\"providers\":{\"providersThrottleDuration\":\"2s\",\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"exposedByDefault\":true,\"swarmModeRefreshSeconds\":\"15s\"}},\"api\":{\"insecure\":true,\"dashboard\":true},\"log\":{\"level\":\"DEBUG\",\"filePath\":\"log/traefik.log\",\"format\":\"common\"},\"certificatesResolvers\":{\"letsencrypt\":{\"acme\":{\"email\":\"mydomain@web.de\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"/etc/traefik/ACME/acme.json\",\"keyType\":\"RSA4096\",\"httpChallenge\":{\"entryPoint\":\"web\"},\"tlsChallenge\":{}}}},\"pilot\":{\"dashboard\":true}}"
time="2021-07-22T19:38:02+02:00" level=info msg="Stats collection is enabled."
time="2021-07-22T19:38:02+02:00" level=info msg="Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration."
time="2021-07-22T19:38:02+02:00" level=info msg="Help us improve Traefik by leaving this feature on :)"
time="2021-07-22T19:38:02+02:00" level=info msg="More details on: https://doc.traefik.io/traefik/contributing/data-collection/"
time="2021-07-22T19:38:02+02:00" level=debug msg="Start TCP Server" entryPointName=websecure
time="2021-07-22T19:38:02+02:00" level=debug msg="Start TCP Server" entryPointName=traefik
time="2021-07-22T19:38:02+02:00" level=debug msg="Start TCP Server" entryPointName=web
time="2021-07-22T19:38:02+02:00" level=info msg="Starting provider aggregator.ProviderAggregator {}"
time="2021-07-22T19:38:02+02:00" level=info msg="Starting provider *docker.Provider {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"exposedByDefault\":true,\"swarmModeRefreshSeconds\":\"15s\"}"
time="2021-07-22T19:38:02+02:00" level=info msg="Starting provider *traefik.Provider {}"
time="2021-07-22T19:38:02+02:00" level=info msg="Starting provider *acme.ChallengeTLSALPN {\"Timeout\":4000000000}"
time="2021-07-22T19:38:02+02:00" level=info msg="Starting provider *acme.Provider {\"email\":\"mydomain@web.de\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"/etc/traefik/ACME/acme.json\",\"keyType\":\"RSA4096\",\"httpChallenge\":{\"entryPoint\":\"web\"},\"tlsChallenge\":{},\"ResolverName\":\"letsencrypt\",\"store\":{},\"TLSChallengeProvider\":{\"Timeout\":4000000000},\"HTTPChallengeProvider\":{}}"
time="2021-07-22T19:38:02+02:00" level=info msg="Testing certificate renew..." providerName=letsencrypt.acme
time="2021-07-22T19:38:02+02:00" level=debug msg="Configuration received from provider internal: {\"http\":{\"routers\":{\"acme-http\":{\"entryPoints\":[\"web\"],\"service\":\"acme-http@internal\",\"rule\":\"PathPrefix(`/.well-known/acme-challenge/`)\",\"priority\":2147483647},\"api\":{\"entryPoints\":[\"traefik\"],\"service\":\"api@internal\",\"rule\":\"PathPrefix(`/api`)\",\"priority\":2147483646},\"dashboard\":{\"entryPoints\":[\"traefik\"],\"middlewares\":[\"dashboard_redirect@internal\",\"dashboard_stripprefix@internal\"],\"service\":\"dashboard@internal\",\"rule\":\"PathPrefix(`/`)\",\"priority\":2147483645}},\"services\":{\"acme-http\":{},\"api\":{},\"dashboard\":{},\"noop\":{}},\"middlewares\":{\"dashboard_redirect\":{\"redirectRegex\":{\"regex\":\"^(http:\\\\/\\\\/(\\\\[[\\\\w:.]+\\\\]|[\\\\w\\\\._-]+)(:\\\\d+)?)\\\\/$\",\"replacement\":\"${1}/dashboard/\",\"permanent\":true}},\"dashboard_stripprefix\":{\"stripPrefix\":{\"prefixes\":[\"/dashboard/\",\"/dashboard\"]}}},\"serversTransports\":{\"default\":{\"maxIdleConnsPerHost\":200}}},\"tcp\":{},\"tls\":{}}" providerName=internal
time="2021-07-22T19:38:02+02:00" level=debug msg="Configuration received from provider letsencrypt.acme: {\"http\":{},\"tls\":{}}" providerName=letsencrypt.acme
time="2021-07-22T19:38:02+02:00" level=debug msg="Added outgoing tracing middleware acme-http@internal" routerName=acme-http@internal middlewareType=TracingForwarder middlewareName=tracing entryPointName=web
time="2021-07-22T19:38:02+02:00" level=debug msg="Creating middleware" entryPointName=web middlewareType=Recovery middlewareName=traefik-internal-recovery
time="2021-07-22T19:38:02+02:00" level=debug msg="Added outgoing tracing middleware api@internal" entryPointName=traefik routerName=api@internal middlewareName=tracing middlewareType=TracingForwarder
time="2021-07-22T19:38:02+02:00" level=debug msg="Added outgoing tracing middleware dashboard@internal" middlewareName=tracing middlewareType=TracingForwarder entryPointName=traefik routerName=dashboard@internal
time="2021-07-22T19:38:02+02:00" level=debug msg="Creating middleware" entryPointName=traefik middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix routerName=dashboard@internal
time="2021-07-22T19:38:02+02:00" level=debug msg="Adding tracing to middleware" routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal entryPointName=traefik
time="2021-07-22T19:38:02+02:00" level=debug msg="Creating middleware" routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex entryPointName=traefik
time="2021-07-22T19:38:02+02:00" level=debug msg="Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex
time="2021-07-22T19:38:02+02:00" level=debug msg="Adding tracing to middleware" middlewareName=dashboard_redirect@internal routerName=dashboard@internal entryPointName=traefik
time="2021-07-22T19:38:02+02:00" level=debug msg="Creating middleware" entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2021-07-22T19:38:02+02:00" level=debug msg="No default certificate, generating one"
time="2021-07-22T19:38:02+02:00" level=debug msg="Provider connection established with docker 20.10.7 (API 1.41)" providerName=docker
time="2021-07-22T19:38:02+02:00" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"api\":{\"entryPoints\":[\"web\",\"websecure\",\"traefik\"],\"middlewares\":[\"auth\"],\"service\":\"api@internal\",\"rule\":\"Host(`traefik.mydomain.de`)\",\"tls\":{\"certResolver\":\"letsencrypt\"}},\"whoami\":{\"entryPoints\":[\"web\",\"websecure\"],\"service\":\"whoami-whoami\",\"rule\":\" Host(`whoami.mydomain.de`)\",\"tls\":{\"certResolver\":\"letsencrypt\"}}},\"services\":{\"traefik-traefikv2\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.18.0.2:80\"}],\"passHostHeader\":true}},\"whoami-whoami\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.18.0.3:80\"}],\"passHostHeader\":true}}},\"middlewares\":{\"auth\":{\"basicAuth\":{\"users\":[\"admin:$apr1$dpFPzdJp$7J.lyKBXmwe4U3NycF1hJ1\"]}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
time="2021-07-22T19:38:02+02:00" level=debug msg="No default certificate, generating one"
time="2021-07-22T19:38:02+02:00" level=debug msg="Adding certificate for domain(s) traefik.mydomain.de"
time="2021-07-22T19:38:02+02:00" level=debug msg="Adding certificate for domain(s) www.mydomain.de"
time="2021-07-22T19:38:02+02:00" level=debug msg="Adding certificate for domain(s) whoami.mydomain.de"
time="2021-07-22T19:38:02+02:00" level=debug msg="No default certificate, generating one"
time="2021-07-22T19:38:02+02:00" level=debug msg="Added outgoing tracing middleware api@internal" entryPointName=traefik routerName=api@internal middlewareName=tracing middlewareType=TracingForwarder
time="2021-07-22T19:38:02+02:00" level=debug msg="Added outgoing tracing middleware dashboard@internal" middlewareType=TracingForwarder entryPointName=traefik routerName=dashboard@internal middlewareName=tracing
time="2021-07-22T19:38:02+02:00" level=debug msg="Creating middleware" middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix entryPointName=traefik routerName=dashboard@internal
time="2021-07-22T19:38:02+02:00" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal
time="2021-07-22T19:38:02+02:00" level=debug msg="Creating middleware" middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex entryPointName=traefik routerName=dashboard@internal
time="2021-07-22T19:38:02+02:00" level=debug msg="Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/" middlewareType=RedirectRegex entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
time="2021-07-22T19:38:02+02:00" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
time="2021-07-22T19:38:02+02:00" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=traefik
time="2021-07-22T19:38:02+02:00" level=debug msg="Added outgoing tracing middleware acme-http@internal" routerName=acme-http@internal entryPointName=web middlewareName=tracing middlewareType=TracingForwarder
time="2021-07-22T19:38:02+02:00" level=debug msg="Creating middleware" entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2021-07-22T19:38:02+02:00" level=debug msg="No default certificate, generating one"
time="2021-07-22T19:38:03+02:00" level=debug msg="Adding certificate for domain(s) traefik.mydomain.de"
time="2021-07-22T19:38:03+02:00" level=debug msg="Adding certificate for domain(s) www.mydomain.de"
time="2021-07-22T19:38:03+02:00" level=debug msg="Adding certificate for domain(s) whoami.mydomain.de"
time="2021-07-22T19:38:03+02:00" level=debug msg="No default certificate, generating one"
time="2021-07-22T19:38:03+02:00" level=debug msg="Added outgoing tracing middleware acme-http@internal" middlewareName=tracing middlewareType=TracingForwarder routerName=acme-http@internal entryPointName=web
time="2021-07-22T19:38:03+02:00" level=debug msg="Creating middleware" entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2021-07-22T19:38:03+02:00" level=debug msg="Added outgoing tracing middleware api@internal" middlewareType=TracingForwarder entryPointName=traefik routerName=api@internal middlewareName=tracing
time="2021-07-22T19:38:03+02:00" level=debug msg="Added outgoing tracing middleware dashboard@internal" entryPointName=traefik middlewareName=tracing middlewareType=TracingForwarder routerName=dashboard@internal
time="2021-07-22T19:38:03+02:00" level=debug msg="Creating middleware" middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix entryPointName=traefik routerName=dashboard@internal
time="2021-07-22T19:38:03+02:00" level=debug msg="Adding tracing to middleware" middlewareName=dashboard_stripprefix@internal entryPointName=traefik routerName=dashboard@internal
time="2021-07-22T19:38:03+02:00" level=debug msg="Creating middleware" middlewareType=RedirectRegex entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
time="2021-07-22T19:38:03+02:00" level=debug msg="Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/" middlewareType=RedirectRegex entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
time="2021-07-22T19:38:03+02:00" level=debug msg="Adding tracing to middleware" middlewareName=dashboard_redirect@internal entryPointName=traefik routerName=dashboard@internal
time="2021-07-22T19:38:03+02:00" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=traefik
time="2021-07-22T19:38:03+02:00" level=debug msg="Added outgoing tracing middleware api@internal" entryPointName=web routerName=api@docker middlewareName=tracing middlewareType=TracingForwarder
time="2021-07-22T19:38:03+02:00" level=debug msg="Creating middleware" routerName=api@docker middlewareName=auth@docker middlewareType=BasicAuth entryPointName=web
time="2021-07-22T19:38:03+02:00" level=debug msg="Adding tracing to middleware" routerName=api@docker middlewareName=auth@docker entryPointName=web
time="2021-07-22T19:38:03+02:00" level=debug msg="Creating middleware" entryPointName=web routerName=whoami@docker middlewareName=pipelining middlewareType=Pipelining serviceName=whoami-whoami
time="2021-07-22T19:38:03+02:00" level=debug msg="Creating load-balancer" routerName=whoami@docker serviceName=whoami-whoami entryPointName=web
time="2021-07-22T19:38:03+02:00" level=debug msg="Creating server 0 http://172.18.0.3:80" entryPointName=web routerName=whoami@docker serviceName=whoami-whoami serverName=0
time="2021-07-22T19:38:03+02:00" level=debug msg="Added outgoing tracing middleware whoami-whoami" entryPointName=web routerName=whoami@docker middlewareName=tracing middlewareType=TracingForwarder
time="2021-07-22T19:38:03+02:00" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=web
time="2021-07-22T19:38:03+02:00" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=websecure middlewareName=traefik-internal-recovery
time="2021-07-22T19:38:03+02:00" level=debug msg="Creating middleware" entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2021-07-22T19:38:03+02:00" level=debug msg="No default certificate, generating one"
time="2021-07-22T19:38:03+02:00" level=debug msg="Adding route for traefik.mydomain.de with TLS options default" entryPointName=web
time="2021-07-22T19:38:03+02:00" level=debug msg="Adding route for whoami.mydomain.de with TLS options default" entryPointName=web
time="2021-07-22T19:38:03+02:00" level=debug msg="Adding route for whoami.mydomain.de with TLS options default" entryPointName=websecure
time="2021-07-22T19:38:03+02:00" level=debug msg="Adding route for traefik.mydomain.de with TLS options default" entryPointName=websecure
time="2021-07-22T19:38:03+02:00" level=debug msg="Adding route for traefik.mydomain.de with TLS options default" entryPointName=traefik
time="2021-07-22T19:38:03+02:00" level=debug msg="Try to challenge certificate for domain [traefik.mydomain.de] found in HostSNI rule" routerName=api@docker rule="Host(`traefik.mydomain.de`)" providerName=letsencrypt.acme
time="2021-07-22T19:38:03+02:00" level=debug msg="Try to challenge certificate for domain [whoami.mydomain.de] found in HostSNI rule" providerName=letsencrypt.acme routerName=whoami@docker rule=" Host(`whoami.mydomain.de`)"
time="2021-07-22T19:38:03+02:00" level=debug msg="Looking for provided certificate(s) to validate [\"whoami.mydomain.de\"]..." providerName=letsencrypt.acme routerName=whoami@docker rule=" Host(`whoami.mydomain.de`)"
time="2021-07-22T19:38:03+02:00" level=debug msg="No ACME certificate generation required for domains [\"whoami.mydomain.de\"]." routerName=whoami@docker rule=" Host(`whoami.mydomain.de`)" providerName=letsencrypt.acme
time="2021-07-22T19:38:03+02:00" level=debug msg="Looking for provided certificate(s) to validate [\"traefik.mydomain.de\"]..." providerName=letsencrypt.acme routerName=api@docker rule="Host(`traefik.mydomain.de`)"
time="2021-07-22T19:38:03+02:00" level=debug msg="No ACME certificate generation required for domains [\"traefik.mydomain.de\"]." providerName=letsencrypt.acme routerName=api@docker rule="Host(`traefik.mydomain.de`)"

Or does the log somehow indicate that the default certs are assigned and the ACME certs are not used?

Hello @jhoos70,

Did you use the LetsEncrypt staging environment to test with? If so, you have to clear out your acme.json file before using the production endpoint.

No, I didn't use staging. I recreated ACME certs a few days ago by deleting the ACME.json and on the next run they were recreated by traefik.

In Firefox https://whoami.mydomain.de is working. Firefox shows me a valid letsencrypt cert created on 15th of July. But I am thinking this could be some sort of cache situation.

What I am seeing in the curl output is that traefik tries to use certs from /etc/ssl/certs while the ACME dir is mounted to /etc/traefik/ACME.

I am not sure if it is a problem, but you enabled both httpChallenge and tlsChallenge for the letsencrypt resolver.

Thanks, I'll try that. Thought any first method that works wins and both can coexist, but who knows.

Finally solved my problem. The ports 80 and 443 on the host were occupied by some other services. Traefik didn't throw errors to the log but entering the traefik container and playing with the traefik command gave me the right hint.
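
The resolution above (host ports 80 and 443 held by other services, with nothing in the Traefik log) can be checked directly from the host's listener table. The script below is an added example, not part of the original thread: it parses `ss -H -ltnp` output and reports every watched port whose listener is not the expected process. It assumes Docker's userland proxy is enabled (the default), so published container ports appear as `docker-proxy`; the function names and the sample listener lines (with `nginx` standing in for the unnamed other service) are constructed for illustration.

```shell
#!/bin/sh
# Added example: find out which host process really owns the ports that the
# Traefik container publishes (80 and 443 in the compose file above).

# Constructed sample of `ss -H -ltnp` output (not taken from the thread).
SAMPLE_SS='LISTEN 0 511  0.0.0.0:80   0.0.0.0:* users:(("nginx",pid=812,fd=6),("nginx",pid=811,fd=6))
LISTEN 0 511  0.0.0.0:443  0.0.0.0:* users:(("nginx",pid=812,fd=7))
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:* users:(("docker-proxy",pid=2040,fd=4))
LISTEN 0 4096 [::]:8080    [::]:*    users:(("docker-proxy",pid=2047,fd=4))'

# port_owners PORT...
# Reads ss output on stdin, prints "<port> <process>" once per distinct owner.
port_owners() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        {
            laddr = ""; proc = "unknown"   # "unknown": ss was run without root
            for (i = 1; i <= NF; i++) {
                # The first address:port field is the local socket address.
                if (laddr == "" && $i ~ /:[0-9]+$/) laddr = $i
                if ($i ~ /^users:/) {
                    proc = $i
                    sub(/^users:\(\("/, "", proc)   # strip leading users:(("
                    sub(/".*/, "", proc)            # keep the first process name
                }
            }
            port = laddr; sub(/^.*:/, "", port)
            if (port in want && !seen[port " " proc]++) print port, proc
        }'
}

# foreign_listeners EXPECTED PORT...
# Prints one line per problem and returns 1 if a port is held by a process
# other than EXPECTED, or if nothing listens on it at all.
foreign_listeners() {
    expected=$1; shift
    owners=$(port_owners "$@")
    rc=0
    for port in "$@"; do
        found=$(printf '%s\n' "$owners" | awk -v p="$port" '$1 == p { print $2 }')
        if [ -z "$found" ]; then
            echo "port $port: nothing is listening"; rc=1; continue
        fi
        for proc in $found; do
            if [ "$proc" != "$expected" ]; then
                echo "port $port: held by $proc, not $expected"; rc=1
            fi
        done
    done
    return $rc
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SS" | foreign_listeners docker-proxy 80 443 || true
# On a live host (root is needed to see other users' process names):
#   ss -H -ltnp | foreign_listeners docker-proxy 80 443
```

A port reported as held by something other than `docker-proxy` means requests to that port never reach the Traefik container, whatever the dashboard shows.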